
🌐 API Gateway (KONG)

Centralized request routing, authentication, and API management

Overview

The KONG API Gateway serves as the primary entry point for all external requests to the Appgain platform. It handles request routing, authentication, rate limiting, and provides a unified interface for all backend services.

🏗️ Architecture

Core Responsibilities

  • Request Routing: Routes incoming requests to appropriate backend services
  • Authentication: Validates API keys, JWT tokens, and user credentials
  • Rate Limiting: Prevents API abuse and ensures fair usage
  • Load Balancing: Distributes traffic across multiple service instances
  • Request/Response Transformation: Modifies requests and responses as needed
  • Logging & Monitoring: Provides comprehensive request logging and metrics

Technology Stack

  • KONG Gateway: Open-source API gateway
  • PostgreSQL: Configuration and analytics storage
  • Redis: Rate limiting and caching
  • Nginx: Underlying web server

🔧 Configuration

Server Details

  • Server: ovh-kong
  • Port: 8000 (HTTP), 8443 (HTTPS)
  • Admin API: 8001 (HTTP), 8444 (HTTPS)

Key Plugins

# Authentication
- jwt: JWT token validation
- key-auth: API key authentication
- oauth2: OAuth 2.0 support

# Security
- cors: Cross-origin resource sharing
- ip-restriction: IP-based access control
- request-size-limiting: Request size limits

# Performance
- rate-limiting: API rate limiting
- proxy-cache: Response caching
- compression: Response compression

# Monitoring
- prometheus: Metrics collection
- file-log: Request logging
- http-log: HTTP request logging

Service Routes

Service           Route        Backend                     Authentication
Appgain Server    /a../*       ovh-appgain-server:3000     JWT/API Key
Parse Server      /parse/*     ovh-parse-server:1337       Parse Session
Notify Service    /notify/*    ovh-parse-server:3001       JWT
Admin Server      /admin/*     ovh-devops:5000             JWT
Shopify Backend   /shopify/*   ovh-shopify-backend:8456    JWT/Shopify Token

🔐 Authentication

JWT Authentication

# JWT Token Format
Authorization: Bearer <jwt_token>

# Token Validation
- Issuer verification
- Audience validation
- Expiration checking
- Signature verification
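The four validation steps above, as an added Python example (not code from the Appgain documentation or from Kong's jwt plugin): it assumes an HS256-signed token and uses constructed placeholder values for the shared secret, issuer and audience.

```python
import base64
import hashlib
import hmac
import json
import time

# Added example (not Appgain's or Kong's code): the four checks listed above applied to an
# "Authorization: Bearer <jwt_token>" header. HS256, secret, issuer and audience are assumed.
SECRET = b"constructed-example-secret"
EXPECTED_ISS = "appgain-auth"     # assumed issuer
EXPECTED_AUD = "appgain-server"   # assumed audience

def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def mint_token(claims: dict) -> str:
    """Build an HS256 JWT as constructed test input (not a gateway routine)."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url_encode(sig)}"

def validate_bearer(auth_header: str, now=None) -> tuple:
    """Return (accepted, reason); claims are trusted only after the signature passes."""
    now = time.time() if now is None else now
    scheme, _, token = auth_header.partition(" ")
    if scheme != "Bearer":
        return False, "malformed header"
    try:
        header_b64, body_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        sig = _b64url_decode(sig_b64)
        claims = json.loads(_b64url_decode(body_b64))
    except ValueError:
        return False, "malformed token"
    if header.get("alg") != "HS256":  # pin the algorithm: no "none", no alg swapping
        return False, "unexpected alg"
    expected = hmac.new(SECRET, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):  # constant-time comparison
        return False, "bad signature"
    if claims.get("iss") != EXPECTED_ISS:
        return False, "wrong issuer"
    if claims.get("aud") != EXPECTED_AUD:
        return False, "wrong audience"
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        return False, "expired"
    return True, "ok"
```

The signature is checked before any claim is acted on, and the algorithm is pinned so a token header cannot select a weaker or absent algorithm.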

API Key Authentication

# API Key Format
X-API-Key: <api_key>

# Key Validation
- Key existence check
- Rate limit enforcement
- Service access control

Parse Session Authentication

# Parse Session Format
X-Parse-Session-Token: <session_token>

# Session Validation
- Token verification against Parse Server
- User session validation
- Permission checking

📊 Monitoring & Metrics

Prometheus Metrics

# Request Metrics
kong_http_requests_total: Total HTTP requests
kong_http_requests_latency: Request latency
kong_http_requests_status: Response status codes

# Plugin Metrics
kong_plugin_requests_total: Plugin-specific requests
kong_plugin_latency: Plugin processing time

# System Metrics
kong_memory_workers: Memory usage per worker
kong_nginx_connections: Active connections

Health Checks

# Gateway Health
GET /status

# Service Health
GET /health

# Response Format
{
  "status": "healthy",
  "timestamp": "2024-01-01T00:00:00Z",
  "version": "3.4.0",
  "services": {
    "appgain-server": "healthy",
    "parse-server": "healthy",
    "notify-service": "healthy"
  }
}

🚀 Deployment

Docker Deployment

# docker-compose.yml
version: '3.8'
services:
  kong:
    image: kong:3.4
    environment:
      KONG_DATABASE: postgres
      KONG_PG_HOST: kong-database
      KONG_PG_DATABASE: kong
      KONG_PG_USER: kong
      KONG_PG_PASSWORD: ask your direct manager for the access
      KONG_PROXY_ACCESS_LOG: /dev/stdout
      KONG_ADMIN_ACCESS_LOG: /dev/stdout
      KONG_PROXY_ERROR_LOG: /dev/stderr
      KONG_ADMIN_ERROR_LOG: /dev/stderr
      # Binds the Admin API on all interfaces (not localhost-only); the published
      # 8001/8444 ports below must stay reachable only from trusted admin networks
      KONG_ADMIN_LISTEN: 0.0.0.0:8001
      KONG_ADMIN_GUI_URL: http://localhost:8002
    ports:
      - "8000:8000"
      - "8443:8443"
      - "8001:8001"
      - "8444:8444"
    depends_on:
      - kong-database
    networks:
      - kong-net

  kong-database:
    image: postgres:13
    environment:
      POSTGRES_DB: kong
      POSTGRES_USER: kong
      POSTGRES_PASSWORD: ask your direct manager for the access
    volumes:
      - kong-data:/var/lib/postgresql/data
    networks:
      - kong-net

volumes:
  kong-data:

networks:
  kong-net:
    driver: bridge

Configuration Management

# Declarative (DB-less) Configuration (alternative to the database settings below)
KONG_DATABASE: off
KONG_DECLARATIVE_CONFIG: /etc/kong/kong.yml

# Database Configuration
KONG_DATABASE: postgres
KONG_PG_HOST: localhost
KONG_PG_PORT: 5432
KONG_PG_DATABASE: kong
KONG_PG_USER: kong
KONG_PG_PASSWORD: ask your direct manager for the access

🔍 Troubleshooting

Common Issues

1. Service Unavailable

# Check gateway status
curl -X GET http://localhost:8001/status

# Check service routes
curl -X GET http://localhost:8001/services

# Check service health
curl -X GET http://localhost:8001/services/{service}/health

2. Authentication Failures

# Check JWT plugin configuration
curl -X GET http://localhost:8001/plugins

# Test authentication
curl -X GET http://localhost:8000/a../test \
  -H "Authorization: Bearer <token>"

3. Rate Limiting Issues

# Check rate limit configuration
curl -X GET http://localhost:8001/plugins/rate-limiting

# Monitor rate limit usage
curl -X GET http://localhost:8001/plugins/rate-limiting/usage

Log Analysis

# Access logs
tail -f /var/log/kong/access.log

# Error logs
tail -f /var/log/kong/error.log

# Admin logs
tail -f /var/log/kong/admin.log

📚 API Documentation

Admin API Endpoints

# Services
GET    /services                    # List all services
POST   /services                    # Create a service
GET    /services/{service}          # Get service details
PATCH  /services/{service}          # Update service
DELETE /services/{service}          # Delete service

# Routes
GET    /routes                      # List all routes
POST   /routes                      # Create a route
GET    /routes/{route}              # Get route details
PATCH  /routes/{route}              # Update route
DELETE /routes/{route}              # Delete route

# Plugins
GET    /plugins                     # List all plugins
POST   /plugins                     # Create a plugin
GET    /plugins/{plugin}            # Get plugin details
PATCH  /plugins/{plugin}            # Update plugin
DELETE /plugins/{plugin}            # Delete plugin

Health Check Endpoints

# Gateway status
GET /status

# Service health
GET /health

# Plugin health
GET /plugins/{plugin}/health

🔧 Development

Local Development Setup

# Start Kong with database
docker-compose up -d kong-database

# Run migrations
docker run --rm \
  -e "KONG_DATABASE=postgres" \
  -e "KONG_PG_HOST=kong-database" \
  -e "KONG_PG_DATABASE=kong" \
  -e "KONG_PG_USER=kong" \
  -e "KONG_PG_PASSWORD=ask your direct manager for the access" \
  kong:3.4 kong migrations bootstrap

# Start Kong
docker-compose up -d kong

Testing Configuration

# Test service connectivity
curl -X GET http://localhost:8000/a../health

# Test authentication
curl -X GET http://localhost:8000/a../protected \
  -H "Authorization: Bearer <token>"

# Test rate limiting
for i in {1..10}; do
  curl -X GET http://localhost:8000/a../test
done

📈 Performance Optimization

Caching Strategy

# Proxy Cache Plugin
proxy-cache:
  response_code: [200, 301, 404]
  content_type: ["text/plain", "application/json"]
  cache_ttl: 300
  strategy: memory

Rate Limiting Configuration

# Rate Limiting Plugin
rate-limiting:
  minute: 100
  hour: 1000
  day: 10000
  policy: local
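An added Python model (not Kong's implementation) of how these `policy: local` limits behave: clock-aligned fixed windows per identifier, in-memory counters on a single node, and the X-RateLimit-* and Retry-After headers the plugin returns. The limit values are the ones above; the timestamps and identifiers in the comments are constructed.

```python
import math
import time
from collections import defaultdict

# Added example (not Appgain's or Kong's code): a minimal model of the rate-limiting
# plugin's `policy: local` fixed windows with the minute/hour/day limits above.
LIMITS = {"minute": 100, "hour": 1000, "day": 10000}
WINDOW_SECONDS = {"minute": 60, "hour": 3600, "day": 86400}


class LocalRateLimiter:
    """Counters kept in one node's memory, which is what `policy: local` means:
    every Kong node counts on its own, so N nodes admit up to N x the limit."""

    def __init__(self, limits=None):
        self.limits = dict(LIMITS if limits is None else limits)
        self.counters = defaultdict(int)  # (identifier, period, window_start) -> hits

    @staticmethod
    def _window_start(period, now):
        size = WINDOW_SECONDS[period]
        return int(now) - int(now) % size  # windows are clock-aligned, not sliding

    def check(self, identifier, now=None):
        """Return (status, headers): 200 and count the hit, or 429 without counting."""
        now = time.time() if now is None else now
        headers, exceeded, retry_after = {}, False, 0
        for period, limit in self.limits.items():
            start = self._window_start(period, now)
            used = self.counters[(identifier, period, start)]
            headers[f"X-RateLimit-Limit-{period.title()}"] = str(limit)
            headers[f"X-RateLimit-Remaining-{period.title()}"] = str(max(limit - used - 1, 0))
            if used >= limit:  # wait until every exhausted window has rolled over
                exceeded = True
                retry_after = max(retry_after, math.ceil(start + WINDOW_SECONDS[period] - now))
        if exceeded:
            headers["Retry-After"] = str(retry_after)
            return 429, headers
        for period in self.limits:
            self.counters[(identifier, period, self._window_start(period, now))] += 1
        return 200, headers
```

Because each node keeps its own counters, a horizontally scaled gateway admits up to N times the configured limit under `policy: local`; the `redis` or `cluster` policies share counters across nodes.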

Load Balancing

# Upstream Configuration
upstreams:
  - name: appgain-server
    algorithm: round-robin
    targets:
      - target: ovh-appgain-server:3000
        weight: 100

🔒 Security Best Practices

SSL/TLS Configuration

# SSL Configuration
ssl_certificate: /etc/ssl/certs/kong.crt
ssl_certificate_key: /etc/ssl/private/kong.key
ssl_protocols: TLSv1.2 TLSv1.3
# AES256-GCM suites pair with SHA384 in OpenSSL; no *-GCM-SHA512 suite exists
ssl_ciphers: ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384

Security Headers

# Security Headers Plugin
response-transformer:
  add:
    headers:
      - "X-Frame-Options: DENY"
      - "X-Content-Type-Options: nosniff"
      - "X-XSS-Protection: 1; mode=block"
      - "Strict-Transport-Security: max-age=31536000; includeSubDomains"

IP Restrictions

# IP Restriction Plugin
ip-restriction:
  allow: ["internal_network_ranges"]
  deny: ["external_networks"]

📞 Support & Resources

Documentation

Community

Monitoring Tools

  • Prometheus: Metrics collection and alerting
  • Grafana: Dashboard visualization
  • KONG Manager: Web-based admin interface
  • KONG Vitals: Analytics and insights

Last updated: January 2024
